
Data Processing Agreement (DPA)

Document Version: 20 (2025-Oct-29) 

Introduction

 

This Data Processing Addendum (“Addendum”) including its Annexes and Appendices forms part of the “Master Agreement” and is made by and between the Customer (Data Controller) and Pexip (Data Processor).

 

WHEREAS, both Data Controller and Data Processor may be collectively referred to as the Parties; 

 

WHEREAS, the Parties have agreed that it will be necessary for Pexip to process certain personal data on behalf of the Data Controller; and 

 

WHEREAS, in light of this processing, the Parties have agreed to the terms of this Addendum to address the compliance obligations imposed upon them pursuant to the Data Protection Laws listed under Sec 1.2 below as applicable; 

 

NOW THEREFORE, the Parties hereby agree as follows. 

 

 

1. Subject Matter of this Data Processing Addendum 

 

1.1 This Addendum applies primarily to the processing of personal data that is subject to Data Protection Law for the provision of the Pexip deliverables (“Services”), as defined in Master Agreement.

 

1.2 The term “Data Protection Law” shall mean all applicable laws relating to data protection, the processing of personal data by Pexip including, 

 

1.2.1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”);

 

1.2.2 Regulation EU 2018/1725 of the European Parliament and of the Council of 23 October 2018

 

1.2.3 UK GDPR (General data protection regulation – Keeling schedule) and United Kingdom’s Data Protection Act 2018

 

1.2.4 The Brazilian General Data Protection Law or “Lei Geral de Proteção de Dados Pessoais” (“LGPD”) as amended by Law No.13,853/2019.

 

1.2.5 the Swiss Federal Act on Data Protection ("Swiss FADP").

 

1.2.6 the Japan APPI (Act on the Protection of Personal Information).

 

1.2.7 CCPA - California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.199) as amended by California Privacy Rights Act of 2020 (CPRA) and the California Consumer Privacy Act Regulations (Cal. Code Regs. tit. 11, §§ 999.300 to 999.337) as amended or superseded from time to time (the “CCPA”), and any related regulations or guidance provided by the California Attorney General.  

 

1.2.8 Any national data protection law implemented by an EU/EEA member to supplement the GDPR, such as but not limited to Norwegian Personal Data Act, Germany’s Bundesdatenschutzgesetz (BDSG), Denmark’s Data Protection Act, etc. as relevant to the jurisdiction and the processing of personal or sensitive information.  

 

1.2.9 Any equivalent applicable legislation in any jurisdiction in which the Data Controller is established to the extent applicable to the Data Controller. The above-mentioned legislations as amended, consolidated, restated or re-enacted from time to time.

 

1.3 Insofar as Pexip will be processing Personal Data subject to Data Protection Law on behalf of the Data Controller in the course of the performance of the contracted services with the Data Controller the terms of this Addendum shall apply. An overview of the categories of Personal Data, the types of data subjects, and purposes for which the Personal Data are being processed is provided in Annex 2.

 

1.4 Definitions: 

 

1.4.1 Master Agreement shall mean "Standard Terms for Pexip Deliverables" as available on www.pexip.com/terms or “Engage Terms” or "Service Provider License Agreement” or “Terms for Deliverables” or Order Form or any other written agreement with Pexip.  If you have contracted through a partner, then it includes their Agreement (“Reseller Agreement” or “Distributor Agreement”) with Pexip.

 

1.4.2 Customer refers to End Customer who uses Pexip Services or any Contracting Party to Pexip who signed the Master Agreement.

 

1.4.3 Data Protection Law shall mean all applicable laws relating to data protection, the processing of personal data by Pexip, including those noted in Section 1.2 above.

 

1.4.4 Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

1.4.5 Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

1.4.6 Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

1.4.7 Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

 

1.4.8 Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

1.4.9 Service Provider means the for-profit legal entity that processes personal information on behalf of a business pursuant to a written contract for a business purpose.

 

1.4.10 Data Subject means any living individual whose personal data is collected, held or processed by an organisation.

 

1.4.11 “Standard Contractual Clauses" means: (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0” issued by the Information Commissioner’s Office under s.119A (1) of the United Kingdom Data Protection Act 2018  in respect of the transfer of such Personal Data ("UK SCCs") and (iii) where the Swiss FADP applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC") (the "Swiss SCCs").

 

 

2.  Roles and Responsibilities 

 

2.1 The Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by Pexip. Pexip will process the Personal Data only as set forth in Data Controller’s written instructions.

 

2.2 Where Pexip acts as a Controller for the categories of data specified in this Addendum, it will process the personal data for the contracted purposes only and shall strictly adhere to the Purpose Limitation principle.

 

2.3 Where Pexip is a Processor, it will only process the Personal Data on documented instructions of the Data Controller (including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which Pexip is subject) in such manner as, and to the extent that, this is appropriate for the provision of the Services, except as required to comply with a legal obligation to which Pexip is subject. In such a case, Pexip shall inform the Data Controller of that legal obligation before processing, unless that law explicitly prohibits the furnishing of such information to the Data Controller. Pexip shall never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. Pexip shall immediately inform the Data Controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

 

2.4 The Parties have entered into an agreement in order to benefit from the expertise of Pexip in securing and processing the Personal Data for the purposes set out in Annex 2. Pexip shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this Addendum.

 

2.5 Data Controller warrants that it has all necessary rights to provide the Personal Data to Pexip for the Processing to be performed in relation to the Services. To the extent required by applicable Data Protection Law, Data Controller is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, Data Controller is responsible for communicating the fact of such revocation to Pexip, and Pexip remains responsible for implementing any Data Controller instruction with respect to the further processing of that Personal Data. 

 

 

3. Confidentiality 

 

3.1 Without prejudice to any existing contractual arrangements between the Parties, Pexip shall treat all Personal Data as strictly confidential and it shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. Pexip shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality. 

 

 

4. Security 

 

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, the Data Controller and Pexip shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include as appropriate: 

 

4.1.1 measures to ensure that the Personal Data can be accessed only by authorised personnel for the purposes set forth in Annex 2 of this Addendum;

 

4.1.2 In assessing the appropriate level of security, account shall be taken in particular of all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Personal Data;

 

4.1.3 the pseudonymisation and encryption of personal data;

 

4.1.4 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

 

4.1.5 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

 

4.1.6 a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data;

 

4.1.7 measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data Controller; and

 

4.1.8 the measures agreed upon by the Parties in Annex 3.

 

4.2 Pexip shall at all times have in place an appropriate written security policy with respect to the processing of Personal Data, outlining in any case the measures set forth in Section 4.1. 

 

4.3 At the request of the Data Controller, Pexip shall demonstrate the measures it has taken pursuant to this Section 4 and shall allow the Data Controller to audit and test such measures. The Data Controller is entitled to conduct such audits once a year. The Data Controller shall be obligated on giving at least 14 days’ notice to Pexip to carry out, or have carried out by a third party who has entered into a confidentiality agreement with Pexip, audits of Pexip’s premises and operations as these relate to the Personal Data processed under this Addendum. Pexip shall cooperate with such audits carried out by or on behalf of the Data Controller and shall grant the Data Controller’s auditors reasonable access to any premises and devices involved with the Processing of the Personal Data. Pexip shall provide the Data Controller and/or the Data Controller’s auditors with access to any information relating to the Processing of the Personal Data as may be reasonably required by the Data Controller to ascertain Pexip’s compliance with this Addendum. The Data Controller shall bear any costs related to audits initiated by the Data Controller or accrued in relation to audits of the Data Controller, including compensation to Pexip for reasonable time spent by it and its employees complying with on premises audits. Pexip shall nevertheless bear such costs if an audit reveals non-compliance with this Addendum or the Data Protection Law.

 


5. Improvements to Security 

 

5.1 The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Pexip will therefore evaluate the measures as implemented in accordance with Section 4 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Section 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable Data Protection Law or by data protection authorities of competent jurisdiction.

 

5.2 Where an amendment to the Agreement is necessary in order to execute a Data Controller instruction to Pexip to improve security measures as may be required by changes in applicable Data Protection Law from time to time, the Parties shall negotiate an amendment to the Agreement in good faith. 

 

 

6. Data Transfers 

 

6.1 If the storage and/or processing of Personal Data involves transfers of Personal Data out of the EEA, then Pexip shall be obliged to meet at least one of the following conditions:  

 

6.1.1 ensure the destination meets the European Commission’s level of adequacy per Article 45 of the Regulation (GDPR); or

 

6.1.2 ensure the destination employs an approved European Commission legal mechanism; or  

 

6.1.3 ensure the destination has entered into an acceptable EU Model Contract Clauses specifying the appropriate importer and exporter designations, requirements and safeguards; or  

 

6.1.4 employs an alternative solution that meets the requirements of the European Commission such as Binding Corporate Rules per Article 63 of the Regulation.

 

6.2 Annex 4 provides a list of transfers for which the Data Controller grants its consent upon the conclusion of this Addendum. Revocation of consent may be made by discontinuing use of the service or by making other written arrangements with Pexip.  

 

6.3 To the extent that the Data Controller or Pexip are relying on a specific statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and Pexip agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

 

6.4 This DPA incorporates the Standard Contractual Clauses by reference. By executing this DPA, the Data Controller enters into this DPA (including the Standard Contractual Clauses referenced herein, if applicable) on behalf of itself and any affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with Pexip.

 

6.5 It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.

 

6.6 Transfers outside EEA: In relation to EU data protected by the EU GDPR, the EU Standard Contractual Clauses apply to such transfers, completed as follows:

 

6.6.1 MODULE ONE: Transfer controller to controller of the EU SCCs shall apply when both Parties act as a Controller.

 

6.6.2 MODULE TWO: Transfer controller to processor of the EU SCCs shall apply when Pexip is a Processor.

 

6.6.3 MODULE THREE: Transfer processor to processor of the EU SCCs shall apply when both Parties act as a Processor.

 

6.6.4 Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1,2, 4 of this DPA.

 

6.6.5 Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 3 of this DPA.

 

6.6.6 Clause 7 – Docking clause (optional) will apply.

 

6.6.7 Clause 9 (a) OPTION 2 – General written authorization for subprocessors will apply and the time period to object will be Thirty days.

 

6.6.8 Clause 11(a) – OPTION to use independent resolution body shall not apply.

 

6.6.9 Clause 17, Option 2 will apply, and the parties agree that this shall be the law of Norway.

 

6.6.10 Clause 18(b), disputes shall be resolved before the courts of Norway. 

 

6.7 Transfers outside Switzerland: In relation to Personal Data that is protected by the Swiss FADP, the EU SCCs will apply in accordance with Section 6.6 with the following modifications:

 

6.7.1 any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss FADP;

 

6.7.2 references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be; and

 

6.7.3 references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the FDPIC and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss FADP, in which event the Swiss SCCs shall instead be incorporated by reference and form an integral part of this Addendum and shall apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in Annex 1, 2, 3, 4 to this Addendum (as applicable).

 

6.8 Transfers outside UK: In relation to Personal Data that is protected by the UK GDPR, the UK SCCs shall apply, completed as follows:

 

6.8.1 The EU Standard Contractual Clauses shall be deemed amended as specified by the UK SCCs;

 

6.8.2 Reference to Table 1 shall be satisfied by the information in Annex 1;

 

6.8.3 Table 2, The version of the Approved EU SCCs shall be the EU SCCs identified in Sec 1.4.11 and completed as set out in Section 6.6 above;

 

6.8.4 Reference to Table 3 shall be satisfied by the information in Annexes 1, 2, 3 and 4;

 

6.8.5 Table 4, Importer and Exporter shall have the rights outlined in Section 19 of UK SCCs.

 

 

7. Information Obligations and Incident Management 

 

7.1 When Pexip becomes aware of an incident that impacts the processing of the Personal Data that is the subject of the Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.  

 

7.2 The term “incident” used in Section 7.1 shall be understood to mean in any case:

 

7.2.1 a complaint or a request with respect to the exercise of a data subject’s rights under Data Protection Law;

 

7.2.2 an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;

 

7.2.3 any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;

 

7.2.4 any breach of the security and/or confidentiality as set out in Sections 3 and 4 of this Addendum leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;

 

7.2.5 where, in the opinion of Pexip, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or Pexip are subject.

 

7.3 Pexip shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under applicable Data Protection Law, Pexip shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 36 hours of having become aware of such an incident. The Data Controller is responsible for notifying the incident to the relevant supervisory authority, if obligated to do so.

 

7.4 In the event the Data Controller is obliged to communicate an incident to the data subjects, Pexip shall assist the Data Controller, including the provision, if available, of necessary contact information to the affected data subjects. The Data Controller shall bear any costs related to such communication to the data subject, unless the incident is caused by circumstances for which Pexip is responsible.  

 

7.5 Any notifications made to the Data Controller pursuant to this Section 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1 of this Addendum, and shall contain:

 

7.5.1 a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

 

7.5.2 the name and contact details of Pexip’s data protection officer or another contact point where more information can be obtained;

 

7.5.3 a description of the likely consequences of the incident; and

 

7.5.4 a description of the measures taken or proposed to be taken by Pexip to address the incident including, where appropriate, measures to mitigate its possible adverse effects. 

 

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

 

 

8. Contracting with Sub-Processors 

 

8.1 The Data Controller authorises Pexip to engage the sub-processors as listed in Annex 4, for the platform and service-related activities as described in Annex 2. Pexip shall not add or replace any such sub-processors without giving the Data Controller 30 days advance notice of the introduction of a new subprocessor, providing the Data Controller an opportunity to object to such changes. The Data Controller may object to the sub-processor by providing notice of termination as prescribed in the Agreement. This termination right is the Data Controller’s sole and exclusive remedy if the Data Controller objects to any new sub-processor.

 

8.2 Notwithstanding any authorisations by the Data Controller within the meaning of the preceding paragraphs, Pexip shall remain fully liable vis-à-vis the Data Controller for the performance of any such subprocessor that fails to fulfil its data protection obligations.

 

8.3 The consent of the Data Controller pursuant to paragraphs 8.1 and shall not alter the fact that explicit consent is required under Section 6 for the engagement of sub-processors in a country outside the European Economic Area without a suitable level of protection. Pexip shall not engage any sub-processors located outside of European Economic Area without employing an acceptable instrument for cross-border data transfers such as Standard Contractual Clauses, cf. clause 6 above.  

 

8.5 Pexip shall ensure that the sub-processor is bound by agreement by the same data protection obligations of Pexip under this Addendum, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law.

 

8.5 The Data Controller may request that Pexip audit a sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist in obtaining a third-party audit report concerning the sub-processor’s operations) to ensure compliance with its obligations imposed by Pexip in conformity with this Addendum.

 

8.6 Pexip shall agree a third party beneficiary clause with the sub-processor whereby - in the event Pexip has factually disappeared, ceased to exist in law or has become insolvent - the Data Controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

 

 

9. Returning or Destruction of Personal Data 

 

9.1 Upon termination of this Addendum, upon the Data Controller’s written request, and upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, Pexip shall, at the discretion of the Data Controller, either delete, destroy, anonymize or return all Personal Data to the Data Controller and destroy or return any existing copies.

 

9.2 Pexip shall notify all third parties supporting its own processing of the Personal Data of the termination of the Addendum and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.

 

 

10. Assistance to Data Controller 

 

10.1 Pexip shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the “Data Protection Law”.

 

10.2 Pexip shall assist the Data Controller in ensuring compliance with the obligations pursuant to Section 4 (Security) and prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of processing and the information available to Pexip.

 

10.3 Pexip shall make available to the Data Controller all information necessary to demonstrate compliance with Pexip’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller in accordance with section 4.3.

 

10.4 Pexip shall assist the Data Controller in carrying out data protection impact assessments (DPIAs) or equivalent assessment of Processing when requested.

 

10.5 The Data Controller shall bear any costs accrued by Pexip related to any assistance mentioned in sections 10.1 – 10.4, unless otherwise agreed.  

 

 

11. Liability and Indemnity 

 

11.1 Notwithstanding any other provisions in this Addendum, each Party's liability towards the other for indirect, consequential, or punitive damages shall be excluded, except as expressly provided in this Addendum. However, nothing in this Addendum shall limit or exclude either Party's liability for breaches of Data Protection Laws, including obligations under GDPR, or for any other liability which cannot be excluded or limited under applicable law. Both Parties commit to maintaining compliance with all relevant data protection regulations and to cooperate in good faith to address any data protection issues that arise in the course of providing and using the services.  

 

 

12. Duration and Termination 

 

12.1 This Addendum shall come into effect as of the date of this contract execution as noted in the signature block.

 

12.2 Termination or expiration of this Addendum shall not discharge Pexip from its confidentiality obligations pursuant to Section 3.

 

12.3 Pexip shall process Personal Data until the date of termination of the Agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on instruction of the Data Controller.

 

 

13. CCPA obligations

 

13.1 Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this Addendum.   

 

13.1.1 “Contracted Business Purposes” means the services described in the Agreement and Appendices and Addendums for which the Service Provider receives or accesses personal information.

 

13.1.2 "Authorized Persons" means the persons or categories of persons that the Data Controller authorizes to provide the Service Provider with personal information processing instructions, as identified in the appendices.  

 

13.1.3 “Business” under CCPA is referred to as Data Controller in this section.

 

13.1.4 “Processor” is referred to as “Service Provider” in line with CCPA terminology in this section.

 

13.1.5 Other definitions used in this Addendum shall have the meaning of the defined terms from Cal. Civ. Code § 1798.140; Cal. Code Regs. tit. 11, §999.301. 

 

Service Provider  

 

13.2 Service Provider will only collect, use, retain, or disclose personal information for the Contracted Business Purposes for which the Data Controller provides or permits personal information access in accordance with the Data Controller's written instructions from Authorized Persons.  

 

13.3 Service Provider will not collect, use, retain, disclose, sell, or otherwise make personal information available for Service Provider's own commercial purposes or in a way that does not comply with the CCPA. If a law requires the Service Provider to disclose personal information for a purpose unrelated to the Contracted Business Purpose, the Service Provider must first inform the Data Controller of the legal requirement and give the Data Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice.

 

13.4 Service Provider will process personal information only as necessary to perform the Services, and will not, under any circumstances, collect, combine, share, use, retain, access, share, transfer, or otherwise process personal information for any purpose not related to providing such Services. Service Provider will refrain from taking any action that would cause any transfers of Customer Data to or from Business to qualify as “selling personal information” under CCPA.

 

13.5 Service Provider must promptly comply with any Data Controller request or instruction from Authorized Persons requiring the Service Provider to provide, amend, transfer, or delete the personal information, or to stop, mitigate, or remedy any unauthorized processing.

 

13.6 If the Contracted Business Purposes require the collection of personal information from individuals on the Data Controller's behalf, Service Provider will always provide a CCPA-compliant notice at collection that the Data Controller specifically pre-approves in writing. Service Provider will not modify or alter the notice in any way without the Data Controller's prior written consent.

 

13.7 Service Provider will use commercially reasonable security procedures that are reasonably designed to maintain an industry-standard level of security and prevent unauthorized access to and/or disclosure of Customer Data. An outline of minimum-security standards can be found at Annex 3 of this DPA. Upon request by Data Controller, Service Provider shall provide information security compliance documentation and allow other measures including audits once every 12 months.

 

13.8 Service Provider will retain Personal Data only for as long as the Data Controller deems it necessary for the permitted purpose, or as required by applicable laws. After termination of this Agreement and upon Data Controller’s written request, Service Provider will either destroy or return Personal Data, unless legal obligations require storage of such Personal Data. 

 

Data Controller’s CCPA Obligations 

 

13.9 Service Provider will reasonably cooperate and assist Data Controller with meeting the Data Controller’s CCPA compliance obligations (which address obligations with regard to security, breach notifications, data risk assessments, and prior consultation) and responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of the Service Provider's processing and the information available to the Service Provider.  

 

13.10 Service Provider must notify the Data Controller immediately if it receives any complaint, notice, or communication that directly or indirectly relates to either party's compliance with the CCPA. Specifically, the Service Provider must notify the Data Controller within ten (10) working days if it receives a verifiable consumer request under the CCPA.

 

Subcontracting 

 

13.11 Service Provider may employ subcontractors to provide the Contracted Business Services, provided always that such engagement shall be subject to a written contract binding with each such Sub-Service Provider to terms no less onerous than those contained within this addendum.  Annex 4 of this DPA provides a list of Sub-service providers. Any subcontractor used must qualify as a service provider under the CCPA and Service Provider cannot make any disclosures to the subcontractor that the CCPA would treat as a sale.

 

13.12 Upon Data Controller’s written request, for each subcontractor used, Service Provider will give Data Controller an up-to-date list disclosing:

 

13.12.1 The subcontractor's name, address, and contact information.

 

13.12.2 The type of services provided by the subcontractor.

 

13.12.3 The personal information categories disclosed to the subcontractor in the preceding 12 months.

 

13.13 Service Provider remains fully liable to the Data Controller for the subcontractor's performance of its agreement obligations.

 

13.14 Upon the Data Controller's written request, Service Provider will provide the Data Controller with the privacy and security assurances relating to subcontractor's compliance with its personal information obligations. 

 

Warranties 

 

13.15 Both parties will comply with all applicable requirements of the CCPA when collecting, using, retaining, or disclosing personal information.

 

13.16 Service Provider certifies that it understands this Addendum's and the CCPA's restrictions and prohibitions on selling personal information and retaining, using, or disclosing personal information outside of the parties' direct business relationship, and it will comply with them.

 

13.17 Service Provider warrants that it has no reason to believe any CCPA requirements or restrictions prevent it from providing any of the Contracted Business Purposes or otherwise performing under this Agreement. Service Provider must promptly notify the Data Controller of any changes to the CCPA's requirements that may adversely affect its performance under the Agreement.  If Data Controller has reasonable cause to suspect that Service Provider is not providing the services in a manner consistent with CCPA and allowing unauthorized use of Personal Data, the Data Controller may (i) submit an inquiry to privacy@Pexip.com, (ii) cease use of their license until they are able to confirm the compliance, or (iii) with evidence of non-compliance of CPRA terminate the Agreement between the parties. 

 

Children 

 

13.18 Service Provider affirms that it shall not sell Children’s personal information without affirmative authorization as required under CCPA §1798.120 by:

 

13.18.1 consumer’s parent/guardian for consumers who are less than 13 years of age and  

 

13.18.2 oneself for consumers at least 13 years of age and less than 16 years of age. 

 

 

14. Data Access from public Authorities 

 

14.1 Pexip agrees to notify the Data Controller and, where possible, the data subject promptly (if necessary with the help of the Data Controller) if it:

 

14.1.1 receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

 

14.1.2 becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

 

14.2 If Pexip is prohibited from notifying the Data Controller and/or the data subject under the laws of the country of destination, Pexip agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Pexip agrees to document its best efforts in order to be able to demonstrate them on request of the Data Controller.

 

14.3 Where permissible under the laws of the country of destination, Pexip agrees to provide the Data Controller, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

 

14.4 Pexip agrees to preserve the information pursuant to 14.1 to 14.3 for the duration of the contract and make it available to the competent supervisory authority on request.

 

14.5 Clauses 14.1 to 14.3 are without prejudice to the other obligations of Pexip to inform the Data Controller promptly where it is unable to comply with these Clauses.

 

14.6 Pexip agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. Pexip shall, under the same conditions, pursue possibilities of appeal. When challenging a request, Pexip shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules.

 

14.7 Pexip agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the Data Controller. It shall also make it available to the competent supervisory authority on request.

 

14.8 Pexip agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. 

 

 

15. Miscellaneous 

 

15.1 In the event of any inconsistency between the provisions of this Addendum and the provisions of the Agreement, the provisions of this Addendum shall prevail.

 

15.2 In addition to Section 1.2 of this DPA, this Addendum is governed by the laws noted in the Agreement.

 

15.3 The Data Controller agrees to maintain the notification email address updated with Pexip for receiving all notifications under this Addendum.  

 

NOW THEREFORE, the Parties hereby execute this addendum.  

 

Signed for and on behalf of the Data Controller
Name:
Title:
Date:
Signature:

Signed for and on behalf of Pexip
Name:
Title:
Date:
Signature:

 

 

 

Annex 1 – List of parties and competent supervisory authority 

 

LIST OF PARTIES 

 

1. Data exporter

Name: Customer (as defined in this DPA)

Address: Customer’s address as provided by Customer

GDPR Role: Data Controller

Contact person’s name, position and email address for receiving all notifications under this Addendum: Customer’s contact details as provided by Customer

2. Data importer

Name: Pexip Contracting Entity as specified in your Master Agreement

Company Identifier and Address: Refer to the Introduction section in Privacy Notice | Pexip

GDPR Role: Processor

Contact person’s name, position and contact details:

Name: David White

Title: Information Security Manager

Telephone: +44 7554446700   Email: privacy@pexip.com

 

Activities relevant to the data transferred under these Clauses: Refer Section 1.1 of this DPA. 

 

COMPETENT SUPERVISORY AUTHORITY 

 

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be 

  1. the supervisory authority applicable to the Data Controller in its EEA country of establishment or, 
  2. where the Data Controller is not established in the EEA, the supervisory authority applicable in the EEA country where the Data Controller's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or  
  3. where the Data Controller is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.  
  4. with respect to Customer Data regulated by the UK GDPR, the competent supervisory authority is the Information Commissioner's Office (the "ICO").
  5. with respect to Customer Data regulated by the Brazil General Data Protection Law or LGPD, the competent supervisory authority is the ANPD - “Autoridade Nacional de Proteção de Dados”.
  6. with respect to Customer Data to which the Swiss FADP applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner. 

Annex 2 – Description of transfer 

 

Categories of data subjects whose personal data is transferred 

 

The categories of data subjects may include the following:  

  • The Data Controller’s contractors, employees or meeting participants.
 

 

Categories of personal data transferred 

 

This section should be read in the light of the Services procured by the customer; the content under each title below is applicable only for the relevant Services.

  • “Pexip Service” – for a customer who purchases the Pexip hosted service
  • Pexip Engage – for a customer who purchases the Pexip hosted Engage service (formerly known under the brand “Skedify”)
  • Support data – applicable for all above mentioned services 

 

1. Corporate CRM data 

 

Personal data that may be collected, processed and transferred related to customer relationship activities, such as sales, marketing, customer success, professional services, support. For this purpose, Pexip acts as the Data Controller. 

  • Full Name 
  • Email Address 
  • Telephone Number 
  • Title/Job Function 

 

2. Software as a Service (SaaS), Public Cloud data (“Pexip Service”) including Interoperability Services 

 

Personal data that may be collected, processed and transferred related to provision and the use of the Pexip Service. For this purpose, Pexip acts as the Data Processor. 

 

Pexip Service CRM data: 

Personal data for commercial or technical customer relationship for the Pexip Service: 

  • Full Name 
  • Email Address 
  • Telephone Number
     

Provisioning Data:  

Personal data to establish services for an individual video user (personal account): 

  • Display Name 
  • Email Address 
  • Video Address
 

Personal data to establish services for a video endpoint when registered as a personal endpoint: 

  • Video Address 
  • Display Name 

Personal data to establish OTJ (“One-Touch-Join”) services on a video endpoint: 

  • Meeting organiser Name 
  • Meeting organiser Email Address 
  • Mailbox Address (configuration data to submit OTJ services to a personal assigned endpoint) 
  • Any personal data added to the Subject field of a calendar invite 
  • Retrieved, but discarded: Meeting organiser Email Address, Meeting participant Name and Email Address, and any personal data included in the meeting body or properties of a calendar invite 

 

Meeting Metadata (Call Detail Records “CDR”):  

The following metadata may include personal data related to the use of the Pexip Service: 

  • Meeting Title 
  • Meeting participant names 
  • Call log details 
  • Display name of participants 
  • Inbound URIs and/or IP addresses of participants 
  • Inbound telephone numbers 
  • Call duration 

 

Conference Media:  

The following non-persistent media data may be processed during any videoconferencing session: 

  • Audio streams 
  • Video streams 
  • Content sharing 
  • Audio avatars (profile picture)
  

Meeting Chat Messages:  

The following non-persistent information may be processed if a person uses the chat tool to relay instant messages to others or groups attending the meeting: 

  • Participant Name 
  • Chat Message 
  • Timestamp of Message 

3. Pexip Engage Service data (“Pexip Engage”) 

 

Personal data that may be collected, processed and transferred related to provision and the use of the Pexip Engage (formerly known under the brand “Skedify”). For this purpose, Pexip acts as the Data Processor: 

 

Provisioning Data:  

Personal data for employees of the Data Controller: 

  • Full Name 
  • Professional email 
  • Professional phone number 
  • Job function within the company including expertise and assigned offices 
  • Language Preferences 
  • Fixed video link 
  • Audio avatars (profile picture) 

 

Personal data for end users/clients of the service: 

  • Full Name 
  • Email 
  • Telephone number (mobile/landline) 
  • Customer number 
  • Company name 
  • Language 

 

Meeting data and metadata: 

The following data may be processed during meeting creation and management 

  • Date and Time of the meeting (& creation) 
  • Free text entered by the end user while scheduling a meeting 
  • Meeting Subject/Reason 
  • Answers to questions configured by the enterprise and answered by the customer and/or the agent 
  • Meeting location (branch, home address, video link, phone no) 
  • Assigned employee (Provisioning data) 
  • Metadata of the meeting defined by the enterprise 
  • Meeting notes added by the employee 
  • Meeting outcome (incl cancellation and completion) 
  • Video-conference call log details 
  • Display name of participants 
  • Inbound URIs and/or IP addresses of participants 
  • Inbound telephone numbers 
  • Call duration 

 

Conference Media: 

The following conference data may be processed during any conference session: 

  • Conference recording (video streams, audio streams, content shared, pinned moments with notes) 
  • Chat messages 
  • Uploaded files 
  • Thumbnails of uploaded files 

 

4. Support Data 

 

The following personal data could be associated with incident management when a ticket is opened with the Pexip support desk and requests help to redress an issue. For this purpose, Pexip acts as the Data Processor. 

  • Meeting Metadata 
  • IP address of device that scheduled a meeting; IP address of devices in a meeting; Customer Engagement Services Provisioning Data. 
  • Device logs 
  • Call log details if applicable for troubleshooting, which usually includes H323 and SIP call negotiation and maintenance events from the local and remote terminals.  
  • Device specific details such as applications, operating system, hardware components, performance metrics, and firmware, application names for applications that are able to be shared from the end user’s device, global contact/address lists associated to the device. 
  • Diagnostic snapshots or crash dumps
  • Any other personal data supplied by the individual raising the support ticket. 

Personal data could be present in the events or logs data collected automatically in scenarios described below. For this purpose, Pexip acts as the Data Controller. 

  • End users enable error monitoring, incident reporting in Pexip Client application at OS or app level.  
  • Customer Administrators enable error monitoring, incident reporting at the customer hosted servers. 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

 

In regard to potential sensitive data processed through the Pexip Service (such as chat messages), the Pexip Service encrypts data in transit and at the destination, but does not persistently store the data; it is deleted when the conference concludes. Likewise, media streams are encrypted, non-persistent data. Other elements of data listed in Annex 2 for the Pexip Service do not have the possibility of containing sensitive data.  

 

In regard to potential sensitive data processed through the Pexip Engage service, such as conference recordings and chat messages, the Pexip Engage service encrypts data in transit and at the destination, and persistently stores the data strictly according to the service data retention policy. Other elements of data listed in Annex 2 for the Pexip Engage service do not have the possibility of containing sensitive data, except where they are free-form fields.

 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) 

Continuous 

 

Nature of the Processing

In order to provide the contracted services, the processing activity may involve collection, storage, duplication, authentication, authorization, electronic viewing, media streaming, transferring, deletion and destruction of personal data. 

 

Purpose(s) of the data transfer and further processing

Pexip processes personal data on behalf of the Data Controller for the provision of individual users and endpoints to provide services including voice, video, chat, content sharing, scheduling for meeting participants, including professional services and service desk support.  

 

In addition, Pexip may anonymise personal data for reasons such as service analytics and product improvements. Pexip may also use your personal data for legal reasons such as responding to a law enforcement inquiry.

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period 

The data will be retained until the end of the contractual relationship, in compliance with data protection and data security policies and in accordance with the instructions of the Data Controller.

Annex 3 – Security measures 

 

Technical and organisational measures including technical and organisational measures to ensure the security of the data.

 

This annexure describes the adopted security measures cemented in an Information Security Management System (ISMS) for the purpose of protecting Personal Data and information, primarily with a view to meeting pre-defined requirements of applicable Data Protection Law and privacy law across Controller markets. These requirements have largely been derived from legislation across the Data Controller markets mandating fundamental security measures for the protection of Personal Data and are intended to provide a harmonised and single standard.   We incorporate the requirements of data protection regulations into our control framework and reflect these requirements in policy and practice. Our data protection program which undergoes annual audits by third party auditors for conformity incorporates the following international standards: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO/IEC 27701. These standards are integral to our approach to comply with global data protection regulations.  

  • ISO/IEC 27001: Provides a comprehensive framework for establishing, implementing, maintaining, and continually improving our ISMS, helping us manage the security of assets including financial information, intellectual property, employee details, and information entrusted to us by third parties.  
  • ISO/IEC 27017: Offers guidelines on the information security aspects specific to cloud computing, enhancing the existing controls in ISO/IEC 27001 by addressing cloud service-specific risks and controls.  
  • ISO/IEC 27018: A code of practice for protecting personal data in the cloud, ensuring that our cloud services adhere to applicable privacy regulations and best practices for personal data protection.  
  • ISO/IEC 27701: Extends ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the company, helping us manage privacy risks related to personal information we process.  

The control requirements in the weblink table are applied for the protection of Personal Data on behalf of the Data Controller, are fully implemented at Pexip, and are a subset of the controls within Pexip’s data protection program. 

 

 

Annex 4 – List of approved sub-processors 

 

Pexip uses sub-processors to provide the best experience and service to partners, end customers, and end users when using our products or services. 

 

A sub-processor is a third-party data processor engaged by Pexip that has, or potentially will have, access to or process service data or personal data. Pexip engages different types of sub-processors to perform various processing functions, as further explained in the public article referenced below in this document.

 

Pexip undertakes to use a reasonable selection process by which it evaluates the security, privacy and confidentiality practices of sub-processors that will or may have access to or process service data and personal data. Pexip requires its sub-processors to satisfy equivalent data protection obligations as those instructions documented from Data Controllers on Pexip also in such a manner that the processing will meet the requirements of applicable Data Protection Law.

 

Pexip sub-processor list: https://help.pexip.com/service/subprocessors.htm 

Annex 5 – CCPA - Personal Information Processing Purposes and Details 

 

Contracted Business Purposes: The purposes mentioned in Annex 2 of this DPA for which the Service Provider receives or accesses personal information. 

 

Personal Information Categories: This Addendum involves the following types of Personal Information, as defined and classified in CCPA Cal. Civ. Code § 1798.140(o). 

 

Category: A. Identifiers.
Examples: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
Processed under this Addendum: YES

Category: B. Personal information categories listed in the California Reseller Records statute (Cal. Civ. Code § 1798.80(e)).
Examples: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
Processed under this Addendum: YES

Category: C. Protected classification characteristics under California or federal law.
Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
Processed under this Addendum: NO

Category: D. Commercial information.
Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Processed under this Addendum: NO

Category: E. Biometric information.
Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
Processed under this Addendum: NO

Category: F. Internet or other similar network activity.
Examples: Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
Processed under this Addendum: NO

Category: G. Geolocation data.
Examples: Physical location or movements.
Processed under this Addendum: YES

Category: H. Sensory data.
Examples: Audio, electronic, visual, thermal, olfactory, or similar information.
Processed under this Addendum: YES

Category: I. Professional or employment-related information.
Examples: Current or past job history or performance evaluations.
Processed under this Addendum: NO

Category: J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
Processed under this Addendum: NO

Category: K. Inferences drawn from other personal information.
Examples: Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Processed under this Addendum: NO